The AppSensor session at the OWASP World Summit was a great success. The focus of the discussion was where should AppSensor go next. We covered all of the available items within the AppSensor project (AppSensor.jar w/ESAPI plugin, detection points guidance, extensive documentation, live running demos defendtheapp.com, etc) and posed the question "What do we need for your company to adopt AppSensor within your applications". There was lots of energy in the room and all 50+ seats were filled. AppSensor is really starting to take off and I'm excited at these results. These ideas represent the next areas for the project to tackle in order to obtain wide adoption.
Here are the outputs of that discussion as action items for the project. Consider this an invitation for anyone to jump into the AppSensor project and lead one of these areas to success (email me and I can give you more info and support your efforts)
* Concern over False Positives
** Article to discuss why AppSensor false positives won't result in negative system performance or adversely impact non-malicious users. Target Audience: Product Managers, CSOs
* Where is AppSensor integrated into development
** Slides or article to demonstrate process of selecting AppSensor detection points during the threat modeling phase. Notes on how to communicate these requirements to developers. How to test proper deployment
* Is there an AppSensor-like implementation that could be handled by operations?
** This is not the traditional AppSensor approach (e.g. within the code), but we could do further research on aspect oriented implementations or real time log analysis for attack monitoring
* Integration with libraries and frameworks
** Sub project to submit patches for common frameworks to log obvious attack types. The goal is to at least get the logging of attack scenarios in place by default. This makes it easier to adopt an AppSensor approach onto these libraries or frameworks
** Possible first target : Sonar (sonarsource.org) - May need to get more info on this idea
* Testimonials from companies using AppSensor or AppSensor-like capabilities
** This wil help raise confidence in the project for potential new adopters
* Software - Code versioning, patching, support ?
** This is a common concern for open source software and OWASP code. What can we do to help make our code more digestible by a company looking for these more stringent development patterns?
* Link in with Fraud systems
** The AppSensor project has been contacted by a large bank to help develop a strategy for detection of fraud through session hijacking and phishing.
Michael Coates
OWASP